With breaches nearly certain, companies shift cybersecurity spending


By Jaikumar Vijayan, ThirdCertainty

For years, a major portion of security budgets has been spent on perimeter technologies like firewalls, anti-virus software and intrusion prevention systems. Organizations have tended to spend substantially less of their budgets on bolstering intrusion detection and response capabilities. But that finally may be changing.

A recent survey conducted by Pierre Audoin Consultants (PAC) in the United Kingdom shows that the traditional split in spending between planning, preparing and preventing an attack versus detecting and responding to one is narrowing, even if only modestly. PAC polled 200 decision-makers in the U.K., France and Germany for their responses to a variety of questions pertaining to security spending, perimeter defenses and incident detection and response.

Infographic: Companies plan shift in security spending

The responses showed a shift in spending toward detect-and-response capabilities and a corresponding move away from prevention-and-protection tools in many organizations. Over the next two years, organizations that participated in the survey expect to spend about 39 percent of their IT security budget overall on detection and response, up 16 points from the 23 percent they currently spend on those capabilities. The median spend is projected to rise 15 percent from 25 percent to 40 percent over the same period.

At the same time, spending on protection-and-prevention tools such as firewalls and antivirus tools is expected to trend downward 16 points, from an average of around 77 percent today to 61 percent in 2017. The median spend on these technologies is expected to drop from 75 percent to 60 percent.

“We see this as a rebalancing of cybersecurity spend to a more appropriate split of operational attention,” PAC said in its report. “While the focus on Prevent & Protect needs to be maintained, looking for breaches and quickly remediating them has increased in priority,” the report said.

Accepting the inevitable

The plans to increase spending on incident detection and response reflect a growing feeling among organizations that breaches are inevitable, said Dominic Trott, senior analyst at PAC. But there are important caveats, he said.

“Our survey shows that protect/prevent remains the largest portion of spend, and is set to remain so in two years’ time,” Trott said. While spending on detection and response will increase, perimeter tools will still account for six out of every 10 dollars spent on security in two years.

“No one is advocating that organizations should stop bothering with end-point security,” Trott said. “What we are seeing is that detect/respond style security approaches represent a growing share of security spending.”

The results come amid growing evidence that traditional perimeter tools are not only failing to prevent breaches but also do nothing to help organizations detect them. In PAC’s survey, for instance, 67 percent of the respondents had suffered a data breach over the past year, while a full 100 percent said they had experienced a breach at least once in the past. Nearly seven in 10 of those who suffered a breach took between one month and six months on average to detect the breach.

Detection gets more difficult

The numbers are similar to those released by security vendor Trustwave earlier this year, which also showed that organizations are taking increasingly longer to detect network and system intrusions. Importantly, the survey also showed that a lack of incident detection-and-response capabilities is seriously hindering the ability of many organizations to spot an intrusion into their networks. In more than eight out of 10 of the 574 breaches investigated by Trustwave last year, an external party reported the intrusion to the victim. In such situations, organizations took at least 126 days to detect the breach after initial intrusion, the Trustwave survey showed.

Despite this, most organizations have typically given short shrift to computer security incident response capabilities, at least until recently. A survey last January of 674 IT security professionals conducted by the Ponemon Institute on behalf of Lancope showed that more than a third did not have a formal capability in place to respond to a computer security incident. This was despite the fact that more than 80 percent agreed that investments in security incident response are worthwhile.


“One possible explanation is that incident response investments are viewed as reactive rather than preventative,” the report had noted. “Ideally, breaches would not occur, and therefore there would be no need for teams to respond to them.” Organizations on limited security budgets likely find it easier to justify spending on technologies that are designed to stop breaches than on measures for responding after a breach, the report said.

For most organizations, incident response is a service rather than a product, Trott added. Typically, in such situations, when a breach is detected, a third party is hired to conduct a forensic analysis to identify weak spots and threat activity and to close out any gaps.

“That being said, there are technologies that can be offered in association with this,” to improve response capabilities, Trott said. For example, incident response process tools are available these days from companies like Resilient Systems, which helps to make sure that users follow a robust process in reacting to an incident, he said. He noted that Resilient was one of the sponsors of the survey.

“Equally, there are appliances that sit within an organization’s IT environment and monitor activity to identify malware and anomalous behavior.”
